Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

Hyundai Motor America is patching its Blue Link Mobile application for several vulnerabilities that could have potentially exposed vehicle owners to risk. The Blue Link Mobile application works with Hyundai vehicles from the 2012 model year and newer, providing remote locking and unlocking capabilities, as well as location services and vehicle starting.

The vulnerabilities were reported to Hyundai by security firm Rapid7 and involved the use of a hard-coded decryption password as well as the use of cleartext communication for the Blue Link mobile app.

"The potential data exposure can be exploited one user at a time via passive listening on insecure WiFi, or by standard man-in-the-middle (MitM)," Rapid7 wrote in its security advisory on the Hyundai Blue Link vulnerabilities.

Though Rapid7 is the organization that reported the issues to Hyundai, it was actually a pair of non-Rapid7 employees that first became aware of the vulnerabilities.

Further reading

"William Hatzer noticed the behavior when he himself became a Hyundai Blue Link user, after buying a new Hyundai automobile," Tod Beardsley, Director of Research at Rapid7, told eWEEK. "Hatzer came to Rapid7 based on our reputation and experience as vulnerability handlers and our ability to coordinate and mediate vulnerability disclosures."

The vulnerabilities were not in the firmware located in the vehicle, but rather were found in the mobile apps. Beardsley said that the issue was present in both Android and iPhone versions of the application, but the investigation work was all performed on Android. The fixed Android app was published in Google's app store on March 6, while the iOS version was updated on March 8.

Beardsley explained that there were two vulnerabilities in the Blue Link apps: the cleartext, eavesdroppable communication and the data encrypted with a discoverable pre-shared key. He noted that since the data is encrypted, an attacker cannot directly use it; an attacker needs both a mechanism to get a hold of the encrypted data (which is possible due to the lack of an HTTPS transport), and the symmetric encryption key used to encrypt the log data being transmitted.

"If the transport mechanism had used certificate-based encryption, such as HTTPS, rather than HTTP, the data would have been safe in transport even if the attacker knew the encryption key," Beardsley said. "So, the attacker needs both vulnerabilities to actually do anything malicious."

The Blue Link attack likely would be very difficult to scale, for several reasons. Beardsley said that in order to attack at scale, an attacker would have to compromise an ISP that services Hyundai's data operations; this seems unlikely to have happened.

"Given that this is merely an information disclosure, it seems the best, most likely attack vector would have been the physically local malicious WiFi hotspot, targeting either specific Hyundai owners or Hyundai service centers," Beardsley said.

At this point, neither Rapid7 nor Hyundai has any evidence that the information disclosure flaw has ever been used by attackers in the wild. The logging feature in the Blue Link apps, which is where the vulnerability was found, only became available on Dec. 8, 2016 in version 3.9.4 of the app. Beardsley suspects that given the limited time the vulnerability was shipping, the vulnerability wasn't exploited in the wild before Hyundai effected a fix.

"It's impossible to say for sure that Hatzer is the only person to have noticed this vulnerable behavior," Beardsley said. "But it seems quite likely, to the point of near certainty, that the issue was discovered and remediated before criminal actors could make use of it."

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.